<div dir="ltr">Hi Daniel,<div><br></div><div>i) Kamailio acting as client (IP 10.211.160.176) -> Kamailio acting as server (IP 10.211.160.172) <b><u>[ Scenario 1: Working as Expected ]</u></b></div><div><br></div><div>The SNI presented by 10.211.160.176 in the ClientHello is <a href="http://btip.172.com">btip.172.com</a>; 10.211.160.172 picks the profile below, with server_name = <a href="http://btip.172.com/" target="_blank">btip.172.com</a>, for the TLS handshake <b><u>// working as expected</u></b></div><div><br></div><div>[server:<a href="http://10.211.160.172:5061/" target="_blank">10.211.160.172:5061</a>]</div>method = TLSv1+<br>verify_certificate = yes<br>require_certificate = yes<br>private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key<br>certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt<br>ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt<br>cipher_list = RSA<br>verify_depth = 9<br>server_name = <a href="http://btip.172.com/" target="_blank">btip.172.com</a><div><br><div>ii) Kamailio acting as client (IP 10.211.160.163) -> Kamailio acting as server (IP 10.211.160.172) <b><u>
[ Scenario 2: Working as Expected ]
</u></b></div><div><br></div><div>
The SNI presented by 10.211.160.163 in the ClientHello is <a href="http://ctip.172.com">ctip.172.com</a>; 10.211.160.172 picks the profile below, with server_name = <a href="http://ctip.172.com/" target="_blank">ctip.172.com</a>, for the TLS handshake <b><u>// working as expected</u></b></div><div> </div><div>[server:<a href="http://10.211.160.172:5061/" target="_blank">10.211.160.172:5061</a>]</div>method = TLSv1+<br>verify_certificate = yes<br>require_certificate = yes<br>private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key<br>certificate = /root/mahesh_openssl/profile1/ctip_172_server_public.crt<br>ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt<br>cipher_list = RSA<br>verify_depth = 9<br>server_name = <a href="http://ctip.172.com/" target="_blank">ctip.172.com</a></div><div><br><div>iii) Kamailio acting as client (IP 10.211.160.175) -> Kamailio acting as server (IP 10.211.160.172) <b><u>
[ Scenario 3: Not Working as Expected ]
</u></b><br></div></div><div><br></div><div>10.211.160.175 is <b>intentionally</b> <b>configured</b> in such a way that it does not send SNI in the ClientHello to 10.211.160.172.</div><div>Now 10.211.160.172 should pick the server default profile for the TLS handshake [ Right? ]</div><div>Instead it is picking the server profile with server_name = <a href="http://ctip.172.com/" target="_blank">ctip.172.com</a> // <b><u>isn't this incorrect? [ I explained in the previous email why it is picking this profile in tls_lookup_cfg() ]</u></b></div><div><b><u><br></u></b></div><div>Regards,</div><div>Mahesh.B</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jan 6, 2020 at 3:21 PM Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com">miconda@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hello,</p>
<p>trying to understand properly what you want to do and what doesn't
work as expected ...</p>
<p>Is it that Kamailio connects via TLS to another server and it
does not present SNI?</p>
<p>Cheers,<br>
Daniel<br>
</p>
<div>On 03.01.20 11:24, mahesh b wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi All,
<div><br>
</div>
<div>I am using Kamailio version 5.1.9.</div>
<div><br>
</div>
<div><u>Below is my tls.cfg</u></div>
<div><br>
</div>
<div>[server:default]<br>
method = TLSv1+<br>
verify_certificate = no<br>
require_certificate = no<br>
private_key = server.key<br>
certificate = server.crt<br>
ca_list = bundle.crt<br>
cipher_list = RSA<br>
verify_depth = 9<br>
<br>
[client:default]<br>
verify_certificate = no<br>
require_certificate = no<br>
<br>
<br>
[server:<a href="http://10.211.160.172:5061" target="_blank">10.211.160.172:5061</a>]<br>
method = TLSv1+<br>
verify_certificate = yes<br>
require_certificate = yes<br>
private_key =
/root/mahesh_openssl/profile2/btip_172_server_private.key<br>
certificate =
/root/mahesh_openssl/profile2/btip_172_server_public.crt<br>
ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt<br>
cipher_list = RSA<br>
verify_depth = 9<br>
server_name = <a href="http://btip.172.com" target="_blank">btip.172.com</a><br>
<br>
<br>
[server:<a href="http://10.211.160.172:5061" target="_blank">10.211.160.172:5061</a>]<br>
method = TLSv1+<br>
verify_certificate = yes<br>
require_certificate = yes<br>
private_key =
/root/mahesh_openssl/profile1/ctip_172_server_private.key<br>
certificate =
/root/mahesh_openssl/profile1/ctip_172_server_public.crt<br>
ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt<br>
cipher_list = RSA<br>
verify_depth = 9<br>
server_name = <a href="http://ctip.172.com" target="_blank">ctip.172.com</a><br>
</div>
<div><br>
</div>
<div>My Kamailio server ip is 10.211.160.172</div>
<div><br>
</div>
<div>i) When I initiate a TLS connection from a remote server (which
is also a Kamailio server), say 10.211.160.176, to
10.211.160.172:</div>
<div> In the ClientHello I am setting the SNI name to <a href="http://btip.172.com" target="_blank">btip.172.com</a>
=> so on the 10.211.160.172 side it is picking up the server
profile with server_name <a href="http://btip.172.com" target="_blank">btip.172.com</a> for the TLS
handshake.<b>// Working as expected</b></div>
<div><br>
</div>
<div>ii) When I initiate a TLS connection from another remote
server (which is also a Kamailio server), say 10.211.160.163, to
10.211.160.172:</div>
<div> In the ClientHello I am setting the SNI name to <a href="http://ctip.172.com" target="_blank">ctip.172.com</a>
=> so on the 10.211.160.172 side it is picking up the server
profile with server_name <a href="http://ctip.172.com" target="_blank">ctip.172.com</a> for the TLS
handshake.<b>// Working as expected</b></div>
<div><br>
</div>
<div>
<div>iii) When I initiate a TLS connection from another remote
server (which is also a Kamailio server), say 10.211.160.175,
to 10.211.160.172:</div>
<div> In the ClientHello I am NOT setting an SNI name => so
on the 10.211.160.172 side, should it pick up the server default
profile or the first profile whose IP and port match?</div>
</div>
<div> What I observe from the logs is that it is picking up the
server profile with server_name <a href="http://ctip.172.com" target="_blank">ctip.172.com</a> for the TLS
handshake.</div>
<div><br>
</div>
<div><br>
</div>
<div> I had a look at the code in the function tls_lookup_cfg; from
the debug prints I understand it is trying to match a profile
by IP and port:</div>
<div><br>
</div>
<pre>if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip, ip))<b> // IP and port matched</b>
{
    if(sname && sname->len>0) <b>// Incoming ClientHello didn't have sname, so it will hit the else part</b>
    {
        if(p->server_name.s && p->server_name.len==sname->len
                && strncasecmp(p->server_name.s, sname->s, sname->len)==0)
        {
            LM_DBG("socket+server_name based TLS server domain found\n");
            return p;
        }
    }
    else
    {
        return p; <b>// so it is returning the first profile to which IP and port matched.</b>
    }
}
</pre>
<div><br>
</div>
<div>Am I missing anything, or is this a bug? If there is no SNI in the
ClientHello, what needs to be done to make use of the default
profile for the TLS handshake? Or is this something fixed in the
latest version?</div>
<div>I just tried modifying the code as below, after which it
gives the server default profile when there is no SNI in the incoming
ClientHello.</div>
<div><br>
</div>
<div>
<pre>if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip, ip))
{
    if(sname && sname->len>0)
    {
        if(p->server_name.s && p->server_name.len==sname->len
                && strncasecmp(p->server_name.s, sname->s, sname->len)==0)
        {
            LM_DBG("socket+server_name based TLS server domain found\n");
            return p;
        }
    }
    else
    {
        /* no SNI: a socket match that carries a server_name yields the default profile */
        if( (type & TLS_DOMAIN_SRV) && (p->server_name.s) )
        {
            LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
            return cfg->srv_default;
        }
        else
        {
            LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
            return p;
        }
    }
}</pre>
</div>
<div><br>
</div>
<div>Regards,</div>
<div>Mahesh.B</div>
</div>
<br>
<pre>_______________________________________________
Kamailio (SER) - Users Mailing List
<a href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a>
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<pre cols="72">--
Daniel-Constantin Mierla -- <a href="http://www.asipto.com" target="_blank">www.asipto.com</a>
<a href="http://www.twitter.com/miconda" target="_blank">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" target="_blank">www.linkedin.com/in/miconda</a>
Kamailio World Conference - April 27-29, 2020, in Berlin -- <a href="http://www.kamailioworld.com" target="_blank">www.kamailioworld.com</a></pre>
</div>
</blockquote></div>
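<p>Added example (not part of the thread and not Kamailio's own code): a small C model of the quoted tls_lookup_cfg() loop over the two [server:10.211.160.172:5061] profiles from the tls.cfg above, showing side by side the unpatched rule (a ClientHello without SNI is answered with the first socket match, even though that profile carries a server_name and therefore a name-specific certificate and CA list) and the rule from Mahesh's modification (fall back to [server:default] instead). Assumptions: plain C strings stand in for Kamailio's str/ip_addr types and ip_addr_cmp(), the profile list is in config-file order (the thread does not say which of the two named profiles Kamailio's internal list puts first), and a lookup that matches nothing falls back to the default profile.</p>

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed model of the two [server:10.211.160.172:5061] profiles from
 * the thread's tls.cfg plus [server:default]; not Kamailio's own structs. */
typedef struct {
    const char *id;          /* label used in the checks below */
    const char *ip;          /* socket IP the profile is bound to */
    int port;                /* 0 = any port */
    const char *server_name; /* NULL when the profile sets no server_name */
} tls_profile;

static const tls_profile srv_default = { "server:default", NULL, 0, NULL };
static const tls_profile profiles[] = {
    { "btip", "10.211.160.172", 5061, "btip.172.com" },
    { "ctip", "10.211.160.172", 5061, "ctip.172.com" },
};
#define NPROFILES (sizeof(profiles) / sizeof(profiles[0]))

/* Walk the profile list the way the quoted tls_lookup_cfg() loop does.
 * patched == 0: unpatched logic, a ClientHello without SNI takes the first
 *               socket match even though that profile carries a server_name.
 * patched == 1: Mahesh's change, such a match is skipped for [server:default].
 * Assumption: if nothing matches, the caller falls back to [server:default]. */
static const tls_profile *lookup_cfg(const char *ip, int port,
                                     const char *sni, int patched)
{
    for (size_t i = 0; i < NPROFILES; i++) {
        const tls_profile *p = &profiles[i];
        if ((p->port != 0 && p->port != port) || strcmp(p->ip, ip) != 0)
            continue;                       /* socket does not match */
        if (sni && sni[0] != '\0') {        /* SNI present: need name match */
            if (p->server_name && strcasecmp(p->server_name, sni) == 0)
                return p;
        } else if (patched && p->server_name) {
            return &srv_default;            /* no SNI: don't serve a named cert */
        } else {
            return p;                       /* no SNI: first socket match wins */
        }
    }
    return &srv_default;
}

int main(void)
{
    printf("no SNI, unpatched: %s\n", lookup_cfg("10.211.160.172", 5061, NULL, 0)->id);
    printf("no SNI, patched:   %s\n", lookup_cfg("10.211.160.172", 5061, NULL, 1)->id);
    return 0;
}
```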